The present invention relates to computer networks and more particularly but not exclusively to the protection of information technology (IT) systems against malicious content.
Modern enterprises are reliant on their IT to perform their day-to-day operations. IT systems are continuously used to communicate with partners, providers, customers and other public and private data networks, such as the Internet. Businesses have grown to be dependent on those communication channels.
Unfortunately, these communication channels have been exploited by Malicious Content (Malware), which has become a common problem for today's enterprises. Malicious Content is classified into several categories: computer viruses—malicious computer programs that replicate themselves, worms—computer programs which quickly spread through a computer network and clog up the network, spyware—deceptive software that installs itself on a computer and allows an outsider to harvest private information, and trojan horses—programs that appear to have some useful or benign purpose but really mask some hidden malicious code.
Such malware directly exploits expensive IT resources and exposes internal confidential information to attackers.
An enterprise internal computer network usually comprises tens to hundreds of thousands of interconnected computers. The internal network is usually connected to an external network (or networks), such as the Internet, to carry communications with peers outside the organization. Most of the internal computers continuously communicate with peers both inside and outside the enterprise to perform day-to-day activities. The enterprise's workers, who use those computers, access different channels to transfer information. For example, workers use email to exchange messages and files with peers inside and outside the organization. The World Wide Web is continuously accessed to harvest information, upload files, and download files. Instant messaging programs are becoming popular as a means to promptly share information. Recently, removable media devices such as Disk-on-Key®, by M-Systems Inc., are also becoming very popular. All the above-described channels of information transfer lead directly into the heart of the enterprise and are exploited by malware.
Malware typically disguises itself as business essential data (email, web pages etc.), in order to penetrate into enterprises and then execute its malicious payload inside the enterprise internal networks. As said, penetration into the organization is done by disguising the malware as normal business data that is often communicated over the different channels. Once malware has penetrated into the organization, two main methods are leveraged to execute the malicious payload. These methods are known in the art as social engineering and exploiting software vulnerabilities.
Social engineering is used to trick the malware receiver into believing that the content is safe, important for the business or to the receiver personally. Various methods are used to achieve this goal, such as faking the source contact information (in case of email, for example, the FROM: field may be faked to be a partner, in Web pages the URL may be faked to be the URL of a known partner), creating an appealing content that will make the receiver execute the malware, and generating confusion (for example by faking a technical error and asking the user to run the malware in order to “correct the error”).
Software vulnerabilities are errors in software that allow an attacker to mount an attack on a computer system that is installed with or interacts with the software. Exploiting software vulnerability usually allows the malware creator to execute the malicious content on the target computer system without requiring any authorization from the system owner, user, or administrator. Software vulnerabilities and ways to exploit computer systems using these vulnerabilities are publicly available on security and hacking related posts, newsgroups, and blogs. Malware creators frequently leverage this knowledge in order to allow malware to execute on target computer systems within enterprises.
Several widely popular tools are currently used to fight malware. Three of the most dominant tools known in the art are Firewalls, Anti-virus software and Intrusion detection/prevention systems (IDS/IPS). Most enterprises deploy a combination, or even all, of the above mentioned tools. Recent surveys suggest that more than 95% of modern enterprises are using firewalls and anti-virus software, while more than 60% of business enterprises deploy IDS/IPS systems. This emphasizes the significance of the malware problem faced by enterprises today.
Firewalls provide means to segregate computer networks into separated segments and control the transfer of information between these different segments. Firewalls typically follow a policy that is defined by the enterprise security needs. Such policies usually define what applications (or channels) are allowed to communicate between the different segments and in which direction. For example, a firewall, placed between an internal network and the Internet, may allow only outgoing Web surfing requests. In such a case, if an incoming Web request is encountered at the firewall, it is blocked and all data is discarded.
A popular firewall deployment scheme, illustrated in FIG. 1, includes three zones: an external zone 110, an internal zone 130, and a buffer zone 120. The external zone 110 is connected to all external or public networks (such as the Internet). Internal zone 130 includes all the enterprise computers that need to be filtered from external threats. Buffer zone 120 includes all computers that are serving both internal and external communications, such as mail servers and in some cases Web servers. Firewall 140 is configured with rules to filter data between these three zones.
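The following is an added example, not part of the patent text, showing how the three-zone policy of FIG. 1 and the "outgoing Web surfing only" rule of the preceding paragraph translate into a default-deny rule table. The address ranges, ports and protocols are constructed assumptions; the zone names are the page's.

```python
import ipaddress

# Three-zone layout of FIG. 1. Zone names are the page's; the address
# ranges are constructed for this example.
ZONES = {
    "internal": ipaddress.ip_network("10.0.0.0/8"),
    "buffer": ipaddress.ip_network("192.0.2.0/24"),
    "external": ipaddress.ip_network("0.0.0.0/0"),  # catch-all for everything else
}

# Policy: (source zone, destination zone, protocol, destination port) -> allow.
# Only outgoing Web requests cross the internal/external boundary, as in the
# text; mail may reach the buffer zone from either side. Anything not listed
# is dropped (default deny). Ports and protocols are constructed assumptions.
ALLOW_RULES = {
    ("internal", "external", "tcp", 80),
    ("internal", "external", "tcp", 443),
    ("external", "buffer", "tcp", 25),
    ("internal", "buffer", "tcp", 25),
    ("buffer", "external", "tcp", 25),
}


def zone_of(ip: str) -> str:
    """Return the most specific zone containing ip (external is the catch-all)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, net in ZONES.items():
        if addr in net and (best is None or net.prefixlen > ZONES[best].prefixlen):
            best = name
    return best


def filter_packet(src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """Decide the fate of a connection-opening packet: 'allow' or 'drop'."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone:
        return "allow"  # same segment; the inter-zone firewall never sees it
    key = (src_zone, dst_zone, proto.lower(), dport)
    return "allow" if key in ALLOW_RULES else "drop"


if __name__ == "__main__":
    # Outgoing Web surfing passes; an incoming Web request to an internal host is dropped.
    print(filter_packet("10.1.2.3", "203.0.113.7", "tcp", 80))  # allow
    print(filter_packet("203.0.113.7", "10.1.2.3", "tcp", 80))  # drop
```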
For example, Shwed et al U.S. Pat. No. 5,835,726, entitled “System for securing the flow of and selectively modifying packets in a computer network” discloses such a firewall system for controlling the inbound and outbound data packet flow in a computer network.
However, firewalls are becoming ineffective as malware attacks become similar to, and indistinguishable from, essential business data and use the same communication channels over which essential business data is transmitted. Thus, a firewall policy cannot block communication over such channels without badly affecting the enterprise's operational efficiency.
Anti-viruses aim to detect and remove malicious content threats. Different Anti-virus packages provide different scopes of protection against those threats. Anti-virus software packages are traditionally based on signature banks. These signature banks are created by the Anti-virus software vendors and include unique identifiers for all known malware. Potentially malicious content is scanned for known signatures, or identifiers. When such an identifier is found, a specialized cleaning routine is used to remove the malicious code. Recent anti-virus software packages introduce heuristic-based systems, which utilize a set of inexact procedures, usually in addition to signature banks, in order to fight malware threats that are not included in the signature banks. Some heuristic-based systems dynamically monitor the computer system for abnormal behavior patterns. When such a behavior is detected, the offending process is blocked. Other heuristic-based solutions statically scan for potential malware by looking for known malicious content patterns.
For example, Chi U.S. Pat. No. 5,978,917, entitled “Detection and elimination of macro viruses” teaches a system and method for detecting and eliminating computer viruses of a particular class known as macro viruses. A Macro is a computer program written using a structured programming language and created from within an application program that has a global environment and can create local documents. Normally, a macro can be invoked using a simple command such as a keystroke. The application program can be, for example, Microsoft® Word or Excel. A Macro virus is a virus consisting of one or more macros.
However, malicious content is rapidly becoming similar to business essential data. Over time, in an evolutionary manner, malicious content has adopted the attributes of what is considered to be business essential data. Adopting business essential data attributes allows malware to avoid detection and removal.
A prominent recent example is malware spreading as email messages. Because email is considered essential to many businesses, most businesses cannot afford to filter out email messages. Malware attacks exploit this fact and use email as a carrier that is known to enter the enterprise's virtual premises relatively easily. Anti-virus solutions have adapted and added the ability to scan email traffic. In order to circumvent those email scanning solutions, some recent malware attacks spread using an encrypted email attachment. The password for the encrypted attachment is provided in the email as an image. This creative method allows malware to avoid scanning (because of encryption) while making it extremely difficult for anti-virus solutions to decrypt the attachment (because recovering the password requires parsing the image, which is a complex and resource-demanding activity). The only solution anti-viruses are left with is globally blocking any email message that carries both an image and an encrypted attachment. This solution clearly blocks non-malicious email messages as well, and thus hurts the flow of business essential data.
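As an added example (not from the patent), the blunt rule described above, implemented as a mail-gateway check: the message is blocked when an image attachment travels together with a ZIP attachment whose local file header sets the encryption flag. The sample message and the ZIP entry are constructed here; the "encrypted" entry only sets the flag bit and applies no real cipher. The same check fires on a legitimate message of the same shape, which is exactly the cost the text describes.

```python
import struct
import zlib
from email.message import EmailMessage


def make_zip_entry(name: bytes, payload: bytes, encrypted: bool) -> bytes:
    """Build one ZIP local file header plus stored data (constructed sample;
    the 'encrypted' case only sets the flag bit, no cipher is applied)."""
    flags = 0x0001 if encrypted else 0x0000  # general-purpose bit 0 = entry is encrypted
    header = struct.pack("<HHHHHIIIHH", 20, flags, 0, 0, 0, zlib.crc32(payload),
                         len(payload), len(payload), len(name), 0)
    return b"PK\x03\x04" + header + name + payload


def zip_has_encrypted_entry(data: bytes) -> bool:
    """Walk the local file headers and report whether any entry sets the encryption bit."""
    off = 0
    while data[off:off + 4] == b"PK\x03\x04" and off + 30 <= len(data):
        fields = struct.unpack_from("<HHHHHIIIHH", data, off + 4)
        flags, csize, nlen, xlen = fields[1], fields[6], fields[8], fields[9]
        if flags & 0x0001:
            return True
        off += 30 + nlen + xlen + csize  # skip header, name, extra field and data
    return False


def build_sample_message(encrypted_archive: bool) -> EmailMessage:
    """Constructed message: an image plus a ZIP attachment, as the text describes."""
    msg = EmailMessage()
    msg["Subject"] = "Invoice"
    msg.set_content("The password is in the attached picture.")
    msg.add_attachment(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,  # constructed PNG stub
                       maintype="image", subtype="png", filename="pass.png")
    msg.add_attachment(make_zip_entry(b"invoice.doc", b"constructed payload", encrypted_archive),
                       maintype="application", subtype="zip", filename="invoice.zip")
    return msg


def blocks_image_plus_encrypted_archive(msg: EmailMessage) -> bool:
    """The gateway rule from the text: block when an image and an encrypted archive co-occur."""
    has_image = has_encrypted_archive = False
    for part in msg.iter_attachments():
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            has_image = True
        elif ctype in ("application/zip", "application/x-zip-compressed", "application/octet-stream"):
            if zip_has_encrypted_entry(part.get_payload(decode=True)):
                has_encrypted_archive = True
    return has_image and has_encrypted_archive
```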
Intrusion Detection and Prevention (IDS/IPS) tools, for example the McAfee Inc. IntruShield™ line of products, are designed to detect an attack on the organization and prevent it. These tools usually act in real time (or near real time). There are two major types of IDS/IPS tools: host based and network based. Host based tools include agent software that is installed on some of the enterprise hosts and measures activities such as networking activities and operating system parameters. Network based tools reside at the network level and measure activities that are visible at the network level. Generally, IDS/IPS tools use signature based methods, similar to anti-viruses, to detect known attack signatures in the measured activities. Some IDS/IPS tools incorporate heuristic based approaches to find suspicious activities. Prevention is provided by cutting off communications that are identified as malicious by a known attack signature or by a heuristic rule.
As described above, due to malware attacks that cannot be distinguished from essential business data, both signature based IDS/IPS solutions and heuristic based IDS/IPS tools hurt enterprises, as the enterprises cannot freely communicate over their essential communication channels.
New tools which take a role in the fight against malware are patches and patch management systems. Patches are software fixes, usually issued by software vendors to fix detected problems. As far as fighting malware is concerned, patches are used to fix known software vulnerabilities. Once a patch is applied, the software should be immune to the vulnerabilities that the patch solves. Patch management systems are commonly used in enterprises to manage the process of applying software patches to various computer systems. Patch management systems are usually accompanied by enforcement tools that prevent network access from endpoints which are not updated with the latest patch.
Patches and patch management systems are used to fix software vulnerability problems. These patches are always issued after the software vulnerabilities exist, and usually after these vulnerabilities are widespread. A standard software vulnerability lifecycle is illustrated in FIG. 2 and follows these stages: a) the vulnerability is created together with the software or software version 210, b) the vulnerability becomes applicable as soon as the software/version is installed 220, c) the vulnerability is detected and usually publicized 230, d) a patch is developed 240, and e) the patch is applied 250.
It is apparent that the computer system affected by the problem is vulnerable from stage b to stage e. As soon as the vulnerability is detected and publicized (stage c), it draws attention from the public and potential attackers. This increases the potential of an attack exploiting the detected vulnerability, but leaves no remedy to affected computer systems users and administrators. At stage d, when a patch is available, the computer systems users and administrators are thrown into a “patching race”. A patch becomes available and users/administrators rush to apply it. Applying a patch in an enterprise environment is a complex and costly task. It requires lengthy testing and a massive, unplanned, change across a large set of the computer systems installed within the enterprise. Patch management systems allow automation of many related repetitive tasks, but cannot decrease the frequency of patch updates without compromising the security of vulnerable systems.
Thus, two problems arise from patches and patch management: first, enterprises are at risk as soon as they install software that includes a vulnerability problem. The risk potential rises dramatically when the vulnerability is detected and publicized. Second, enterprises are thrown into the “patching race”, rushing to apply each and every relevant patch as soon it becomes available. This activity is massively time and resource demanding.
The above described traditional methods and tools for fighting malware have become inefficient, as widely available statistics clearly state: more than 70% of companies reported intrusions during 2002, 2003 and the first half of 2004, despite the widespread deployment of the above mentioned methods and tools.
The failure of traditional tools to successfully combat the growing threats posed by malicious software has recently contributed, together with other factors, to pushing many enterprises into re-designing their IT infrastructures into centralized architectures, which essentially call for data centers to be established, in an effort to gain more control and security.
In effect, this recent trend reintroduces a mainframe-like architecture, built on top of open systems platforms, using desktop computers installed with “thin layer” clients that no longer run the applications but are used only for user interaction, together with strong central servers.
Many vendors, for example Citrix Systems Inc., now offer solutions for implementing such architectures. Other vendors, like X-pert Integrated Systems Inc., offer security systems that are tailored to such architectures.
However, the existing security tools, offered for such architectures, are still reliant on the failing old tools, namely, Firewalls, Anti-viruses, and IPS/IDS systems. Furthermore, many enterprises find a centralized computing architecture much less fitting than a distributed architecture.
The threat posed by the malware problem grows with the improvement in communication capabilities, as a constant decrease in the time it takes for a malware attack to propagate becomes apparent. The time to propagate has decreased from months to hours over the course of the last few years. Current malware attacks propagate to millions of computer systems in just a few hours. Researchers suggest that propagation times will decrease to minutes or even seconds in the next years. As a result, traditional tools and methods for fighting malware become even less effective, as not enough time is left to update signature banks, prepare software patches, or even update heuristic rules.
In addition, recent regulatory compliance standards acknowledge the external malicious risks to internal resources and confidential information and require companies to take measures to isolate external threats and remove any potential influence on internal resources.
There is thus a widely recognized need for, and it would be highly advantageous to have a system and method for protecting IT systems against malicious content, which is devoid of the above limitations.